VShell Vulnerability

Created 2/23/01
CVE 2001-0155
CVE 2001-0156

Impact

A remote attacker could execute arbitrary commands on the server with the privileges of the VShell server.

Background

VShell is a secure shell server for Windows NT and Windows 2000. It uses the SSH2 protocol and allows system administration tasks to be performed remotely and securely from any standard SSH2 client. It also supports port forwarding, so that other services can be used securely through an encrypted tunnel.

The Problem

CVE 2001-0155
VShell contains a buffer overflow in the code that processes user names. A remote attacker can trigger it by supplying an over-long user name when connecting, and could exploit it to execute arbitrary commands with the privileges of the VShell service.

CVE 2001-0156
A second problem is that VShell ships with a default port-forwarding filter of Allow Target 0.0.0.0/0.0.0.0 to any port. Because a mask of 0.0.0.0 matches every address, any user with an account on the server can forward a connection to any port on any host reachable from the VShell server. If the server is a gateway to a protected network, this bypasses the protection and exposes the internal network.

VShell 1.0 and 1.0.1 are affected by these vulnerabilities.

Resolution

Upgrade to VShell version 1.0.2 or higher.

It is also a good idea to restrict access to the VShell server so that it can only be used from authorized client hosts. This is done by the following steps:

  1. From the control panel, double click on the VShell icon
  2. Select Connection Filters from the left hand side
  3. Delete the default rule of action Allow Source 0.0.0.0/0.0.0.0
  4. Add the new filters which specify which hosts are allowed to connect to the SSH gateway

The default port forwarding problem can be fixed using these steps:
  1. From the control panel, double click on the VShell icon
  2. Select Port-Forward Filters from the left hand side
  3. Delete the default rule of action Allow Target 0.0.0.0/0.0.0.0
  4. If port forwarding is required, add the new filters which specify which hosts can be forwarded to
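Both filter tables behave like an ordered list of address/mask rules, which is why the default Allow Target 0.0.0.0/0.0.0.0 rule is so permissive: a mask of 0.0.0.0 masks out every bit, so the rule matches any host on any port. The following Python evaluator is an added illustration, not VShell code. It assumes first-match semantics with an implicit deny when no rule matches (the page does not say how VShell treats non-matching traffic), and the addresses in the hardened rulesets are constructed for the example. It reproduces the default rulesets described above, shows a restricted replacement for each, and includes an audit check that flags an allow-everything rule.

```python
"""Toy evaluator for VShell-style connection and port-forward filter rules.

Added illustration only; this is not VShell's code.  Assumptions not stated
on the page: rules are evaluated top to bottom and the first match decides,
and traffic that matches no rule is denied.  Rule contents are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass(frozen=True)
class Filter:
    """One rule: apply `action` when address/mask (and optionally port) match."""
    action: str                 # "allow" or "deny"
    address: str                # dotted quad, e.g. "10.0.0.0"
    mask: str                   # dotted-quad mask; "0.0.0.0" discards every bit
    port: Optional[int] = None  # None means any port (port-forward filters only)

    def matches(self, ip: str, port: Optional[int] = None) -> bool:
        a, n, m = (int(IPv4Address(x)) for x in (ip, self.address, self.mask))
        if (a & m) != (n & m):
            return False
        return self.port is None or self.port == port


def evaluate(filters: List[Filter], ip: str, port: Optional[int] = None) -> str:
    """Return "allow" or "deny" for a connecting source host (connection
    filters) or for a forwarding target host:port (port-forward filters)."""
    for rule in filters:
        if rule.matches(ip, port):
            return rule.action
    return "deny"  # assumed implicit deny when nothing matches


def has_allow_all_rule(filters: List[Filter]) -> bool:
    """Audit check: is there an allow rule whose mask 0.0.0.0 matches every
    address on every port?  True for the default rulesets in the advisory."""
    return any(
        r.action == "allow" and r.mask == "0.0.0.0" and r.port is None
        for r in filters
    )


# Default rulesets as the advisory describes them for VShell 1.0 / 1.0.1.
DEFAULT_CONNECTION_FILTERS = [Filter("allow", "0.0.0.0", "0.0.0.0")]
DEFAULT_PORT_FORWARD_FILTERS = [Filter("allow", "0.0.0.0", "0.0.0.0")]

# Hardened replacements.  Addresses are constructed for this example.
HARDENED_CONNECTION_FILTERS = [
    Filter("allow", "192.0.2.0", "255.255.255.0"),       # admin workstation subnet only
]
HARDENED_PORT_FORWARD_FILTERS = [
    Filter("allow", "10.0.0.5", "255.255.255.255", 25),  # one internal mail relay, SMTP only
    Filter("deny", "10.0.0.0", "255.0.0.0"),             # nothing else on the internal net
]


if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_PORT_FORWARD_FILTERS),
                        ("hardened", HARDENED_PORT_FORWARD_FILTERS)):
        print(name, "forward to 10.0.0.99:445 ->", evaluate(rules, "10.0.0.99", 445),
              "| allow-all rule present:", has_allow_all_rule(rules))
```

With the default table, a forward to an arbitrary internal host and port is allowed; with the hardened table only the single permitted host:port gets through, and the audit check no longer fires. The same check is worth running against any exported filter configuration after an upgrade, since an upgrade does not necessarily rewrite an existing ruleset.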

Where can I read more about this?

These vulnerabilities were reported in an @stake security advisory.